Fix CVE-2017-7976:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7976
https://bugs.ghostscript.com/show_bug.cgi?id=697683

In order to make the bug-fix patch apply, we also include an earlier commit
that it depends on.

Patches copied from upstream source repository:

Earlier commit, creating context for the CVE fix:
https://git.ghostscript.com/?p=jbig2dec.git;a=commit;h=9d2c4f3bdb0bd003deae788e7187c0f86e624544

CVE-2017-7976 bug fix:
https://git.ghostscript.com/?p=jbig2dec.git;a=commit;h=cfa054925de49675ac5445515ebf036fa9379ac6

From 9d2c4f3bdb0bd003deae788e7187c0f86e624544 Mon Sep 17 00:00:00 2001
From: Tor Andersson <tor.andersson@artifex.com>
Date: Wed, 14 Dec 2016 15:56:31 +0100
Subject: [PATCH] Fix warnings: remove unsigned < 0 tests that are always
 false.

---
 jbig2_image.c       | 2 +-
 jbig2_mmr.c         | 2 +-
 jbig2_symbol_dict.c | 9 ++-------
 3 files changed, 4 insertions(+), 9 deletions(-)

diff --git a/jbig2_image.c b/jbig2_image.c
index 94e5a4c..00f966b 100644
--- a/jbig2_image.c
+++ b/jbig2_image.c
@@ -256,7 +256,7 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int
     /* general OR case */
     s = ss;
     d = dd = dst->data + y * dst->stride + leftbyte;
-    if (d < dst->data || leftbyte > dst->stride || h * dst->stride < 0 || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) {
+    if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) {
         return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "preventing heap overflow in jbig2_image_compose");
     }
     if (leftbyte == rightbyte) {
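Review bot: The retained condition still tests bounds on a pointer that has already been formed, because `d = dst->data + y * dst->stride + leftbyte` is computed before `d < dst->data` is evaluated. Computing a pointer outside the buffer is undefined behaviour in C, so a compiler may treat that comparison as always false. Dropping `h * dst->stride < 0` is right if the product is unsigned, as the commit title says, but an unsigned product wraps instead of going negative and nothing in this hunk guards that. I would validate in row counts before any pointer is derived, for example `h > dst->height - y` after `y` itself has been range-checked. The later jbig2_image.c hunk in the Bug 697683 patch extends the same pointer-space pattern to `src`; the declarations of `h`, `y` and `leftbyte` are outside the hunk, so their exact types need confirming.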
diff --git a/jbig2_mmr.c b/jbig2_mmr.c
index 390e27c..da54934 100644
--- a/jbig2_mmr.c
+++ b/jbig2_mmr.c
@@ -977,7 +977,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
             if (b1 < 2)
                 break;
             if (c) {
-                if (b1 - 2 < a0 || a0 < 0)
+                if (a0 == MINUS1 || b1 - 2 < a0)
                     return -1;
                 jbig2_set_bits(dst, a0, b1 - 2);
             }
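Review bot: `MINUS1` gates a write through `jbig2_set_bits` here, but nothing at this point says it is a sentinel rather than an ordinary offset. I would add a comment above the test such as `/* a0 is unsigned, so the old a0 < 0 test was dead; MINUS1 is the sentinel value and must never be used as a bit offset */`. The visible lines check only the lower bound (`b1 < 2`) and the ordering of `a0` and `b1 - 2`. Whether `b1 - 2` can exceed the destination row is decided outside the hunk and is worth confirming, since `dst` is written from decoded data.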
diff --git a/jbig2_symbol_dict.c b/jbig2_symbol_dict.c
index 11a2252..4acaba9 100644
--- a/jbig2_symbol_dict.c
+++ b/jbig2_symbol_dict.c
@@ -92,11 +92,6 @@ jbig2_sd_new(Jbig2Ctx *ctx, uint32_t n_symbols)
 {
     Jbig2SymbolDict *new_dict = NULL;
 
-    if (n_symbols < 0) {
-        jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "Negative number of symbols in symbol dict: %d", n_symbols);
-        return NULL;
-    }
-
     new_dict = jbig2_new(ctx, Jbig2SymbolDict, 1);
     if (new_dict != NULL) {
         new_dict->glyphs = jbig2_new(ctx, Jbig2Image *, n_symbols);
@@ -613,7 +608,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
             uint32_t j;
             int x;
 
-            if (code || (BMSIZE < 0)) {
+            if (code) {
                 jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "error decoding size of collective bitmap!");
                 goto cleanup4;
             }
@@ -716,7 +711,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
                 code = jbig2_arith_int_decode(IAEX, as, (int32_t *)&exrunlength);
             /* prevent infinite loop */
             zerolength = exrunlength > 0 ? 0 : zerolength + 1;
-            if (code || (exrunlength > limit - i) || (exrunlength < 0) || (zerolength > 4) || (exflag && (exrunlength + j > params->SDNUMEXSYMS))) {
+            if (code || (exrunlength > limit - i) || (zerolength > 4) || (exflag && (exrunlength + j > params->SDNUMEXSYMS))) {
                 if (code)
                     jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "failed to decode exrunlength for exported symbols");
                 else if (exrunlength <= 0)
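Review bot: With `(exrunlength < 0)` removed, rejection of a negative decoded run length rests entirely on `exrunlength > limit - i`, because the value is written through the `(int32_t *)&exrunlength` cast and arrives as a very large unsigned number. That is sound only while `i <= limit`, so `limit - i` cannot wrap, and `exrunlength + j` is likewise unsigned arithmetic; both invariants are established outside the hunk and should be stated here. I would add `/* a negative decode appears as exrunlength >= 0x80000000 and is rejected by the limit - i test; requires i <= limit */`. The following `else if (exrunlength <= 0)` can now only match zero and reads more honestly as `else if (exrunlength == 0)`. The function body continues outside the hunk.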
-- 
2.13.0

From cfa054925de49675ac5445515ebf036fa9379ac6 Mon Sep 17 00:00:00 2001
From: Shailesh Mistry <shailesh.mistry@hotmail.co.uk>
Date: Wed, 10 May 2017 17:50:39 +0100
Subject: [PATCH] Bug 697683: Bounds check before reading from image source
 data.

Add extra check to prevent reading off the end of the image source
data buffer.

Thank you to Dai Ge for finding this issue and suggesting a patch.
---
 jbig2_image.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/jbig2_image.c b/jbig2_image.c
index 661d0a5..ae161b9 100644
--- a/jbig2_image.c
+++ b/jbig2_image.c
@@ -263,7 +263,8 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int
     /* general OR case */
     s = ss;
     d = dd = dst->data + y * dst->stride + leftbyte;
-    if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) {
+    if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride ||
+        s - leftbyte + (h - 1) * src->stride + rightbyte > src->data + src->height * src->stride) {
         return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "preventing heap overflow in jbig2_image_compose");
     }
     if (leftbyte == rightbyte) {
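Review bot: The added source-side term computes `(h - 1) * src->stride`, which is only meaningful for `h >= 1`. If `h` is unsigned, as the earlier commit's title implies, `h == 0` makes the subtraction wrap, and the result is then either a spurious fatal error or a wrapped offset that passes the test. Whether `h` can be 0 here depends on clipping done outside the hunk, so an explicit `h == 0` early return before this check would remove the dependency. Separately, the call still reports "preventing heap overflow" although the new condition guards an out-of-bounds read of `src`. Splitting it into its own `if` with a message such as `"preventing heap over-read of source image in jbig2_image_compose"` would let crash triage tell the two cases apart.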
-- 
2.13.0

